As the 2021 holiday shopping season approaches, we anticipate that this year we will probably again see significant growth in online shopping volumes as the global economy gathers steam. Starting on November 25 this year, the Thanksgiving to Christmas shopping season is already being highly anticipated by avid shoppers, and retailers are bracing for the biggest sale season of the year.
The huge number of discounts during the holiday shopping season, with many popular products expected to reach their lowest ever prices, has always been a huge crowd-puller. However, with Covid restrictions still underway in many places, the majority of these sales have moved online since last year, which also means that fraudsters and cybercriminals will be waiting to take advantage of vulnerable shoppers and retailers for their own profit. Sophisticated bots let parties with malicious intentions quickly and easily carry out various attacks on websites and apps. Though bots are prevalent on e-commerce stores throughout the year, their activity dramatically increases leading up to the peak shopping season between Thanksgiving and Christmas.
Today, a variety of sophisticated bots are sold online, and many of them are specialized in executing attacks. Some bot developers even provide customer support to help users get the most out of them. It is now common for fraudsters, cybercriminals, and nefarious competitors to deploy bots for malicious activities such as Scalping, Price and Content Scraping, Cart Abandonment (also known as Denial of Inventory), Account Takeover, Carding, and Application DDoS (Distributed Denial of Service).
These bot attacks can be very harmful to e-commerce operations and their customers, as detailed below:
- Account takeover (ATO): Online sales events see traffic spikes not only from customers wanting to buy desired goods, but also from fraudsters and cybercriminals using bots to carry out fraudulent purchases on e-commerce sites with stolen user credentials. ATO is usually executed using techniques such as credential cracking (password guessing) and credential stuffing (verifying lists of breached/leaked log-in credentials). Once an account is taken over, criminals can make unauthorized transfers, or buy goods using any stored virtual currencies such as reward points, wallet balances, air miles, gift cards, and more.
- Inventory exhaustion: During a sales event, attackers try to hold up inventory or carry out cart abandonment attacks. Attackers often try to evade detection systems by using ‘low and slow’ attacks that make just one or two hits from each of many IP addresses (such as hijacked residential routers). Hence it is crucial for website operators and security heads to be able to identify any anomalous behavior on their network and act on the threat immediately. Non-availability of products can cause dissatisfaction among buyers, who could possibly choose to shop at competing portals.
- Bandwidth choking: With a surge of bot traffic on a retailer’s website, it is quite possible that the Web application and its supporting internet bandwidth and network infrastructure can get choked up, slowing down page loads or even taking the site offline. Such a situation prevents consumers from accessing the website or app to buy their desired products. E-commerce firms must effectively mitigate malicious bot traffic to prevent strain to their Web and app infrastructure, protect their brand, and improve the customer experience.
- Price and content scraping by competition: Competitors often use bots to run systematic price and content scraping campaigns during the sales season to undercut your pricing strategy, figure out your marketing strategy, and lure buyers to their website. Companies must take effective measures to protect their pricing strategies from competitors. Doing a security audit of third-party applications along with their own can help the company identify and seal any loopholes in their system prior to the shopping season.
- Gift card & wallet fraud: Virtual currencies such as reward points, gift cards, air miles and any wallet balances attract fraudsters who try to cash out the balances or use them to make purchases. As gift cards usually have minimal security protection, they are a tempting target for fraudsters during big sales events. These criminal activities lead to loss of customers’ trust, negative publicity, and even litigation. Using sophisticated traffic handling mechanisms can curb malicious traffic from entering Web applications and carrying out such attacks.
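The ‘low and slow’ inventory-hold pattern described under inventory exhaustion is hard to catch with per-IP rate limits, because each address makes only one or two requests. The following added example (not from the original post or from Radware) shows one per-SKU check over constructed cart events: it flags a product when many distinct sessions add it to a cart without checking out inside a time window while no single IP exceeds a small hit count. The log format, thresholds and field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample cart events (not real traffic): "timestamp ip session action sku"
SAMPLE_LOG = """\
2021-11-26T09:00:01 203.0.113.10 s1 add_to_cart SKU-100
2021-11-26T09:00:05 203.0.113.11 s2 add_to_cart SKU-100
2021-11-26T09:00:09 203.0.113.12 s3 add_to_cart SKU-100
2021-11-26T09:00:14 203.0.113.13 s4 add_to_cart SKU-100
2021-11-26T09:00:20 203.0.113.14 s5 add_to_cart SKU-100
2021-11-26T09:00:25 203.0.113.15 s6 add_to_cart SKU-100
2021-11-26T09:00:30 198.51.100.7 s7 add_to_cart SKU-200
2021-11-26T09:01:02 198.51.100.7 s7 checkout SKU-200
2021-11-26T09:01:10 198.51.100.8 s8 add_to_cart SKU-200
2021-11-26T09:02:40 198.51.100.8 s8 checkout SKU-200
"""

def parse(log):
    """Parse the assumed space-separated format into (time, ip, session, action, sku)."""
    events = []
    for line in log.splitlines():
        ts, ip, sess, action, sku = line.split()
        events.append((datetime.fromisoformat(ts), ip, sess, action, sku))
    return events

def find_inventory_holds(events, window=timedelta(minutes=10),
                         min_held=5, max_hits_per_ip=2):
    """Return {sku: stats} for SKUs showing the low-and-slow hold pattern.

    For simplicity the window is anchored at the first event seen for each
    SKU; a production detector would slide it over time.
    """
    by_sku = defaultdict(list)
    for ev in events:
        by_sku[ev[4]].append(ev)
    flagged = {}
    for sku, evs in by_sku.items():
        evs.sort()
        start = evs[0][0]
        recent = [e for e in evs if e[0] - start <= window]
        added = {e[2] for e in recent if e[3] == "add_to_cart"}
        checked_out = {e[2] for e in recent if e[3] == "checkout"}
        held = added - checked_out          # sessions holding stock, no purchase
        hits = defaultdict(int)
        for e in recent:
            hits[e[1]] += 1                 # requests per source IP
        # Many held carts spread across IPs that each stay under the radar
        if len(held) >= min_held and max(hits.values()) <= max_hits_per_ip:
            flagged[sku] = {"held_sessions": len(held), "distinct_ips": len(hits)}
    return flagged
```

Flagged SKUs are candidates for shorter cart reservation timeouts or a step-up challenge on add-to-cart, rather than automatic blocking of the individual IPs.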
Top security best practices to protect your e-commerce enterprise this holiday season
We recommend that e-commerce operators start by proactively optimizing their rules for Web pages expected to receive high traffic, and by implementing a system for real-time monitoring of anomalies and ongoing tuning of rules for visitor handling. Online retailers would be well advised to learn about their vulnerabilities to bot attacks to help prepare their defenses. To learn the extent of your vulnerabilities to automated attacks, we recommend taking advantage of Radware’s free, no-obligation Bad Bot Vulnerability Scanner service, which probes your website and app for exploitable weaknesses that can allow malicious bot traffic to attack your e-commerce portal. We also provide a detailed report after the scan that gives you insights and specific recommendations on how to protect your business from bot threats.
Contact us at email@example.com for more information to help you prepare for a successful holiday sales season.